Gdpr

The California California Consumer Privacy Act (CCPA ) is a new consumer protection law which comes in effect from 1st January 2020 and is yet another sign that data protection is now taken very seriously. This follows closely in the steps of the General Data Protection Regulations ( GDPR) which were launch in May 2018.

Who does this apply to ?

This law is applicable in the state of California where organisations carry our business that involves collecting and processing the personal information of individuals.

If an organisation earns more than 50% of their revenue from the selling of a consumers personal records.

If all any of this criteria is met then the CCPA will be applicable and the business will have to adhere to these regulations.

What are the consequences of non- compliance?

Should this be the case it is possible that the business could face the following penalties :-

Civil Penalty up to $7,500 for each intentional violation and $2,500 for other violations

In addition to this the victims of a data breach may obtain $100 to $750 per consumer, per incident.

The importance of how a business manages its data is therefore of the utmost importance in order that these regulations are complied with and to avoid any penalties that stem from a breach of these regulations.

Some guidelines to the management of data

Ensure that all employees are updated with this legislation and carry out training as applicable.

Ensure that all processes and procedures are aligned to comply with the new legislation and if not introduce new ones to cater for this.

Carry out a review of cyber security within the organisation and implement upgrades and improvements where necessary in order to mitigate a possible data breach.

Where necessary bring into line privacy notices and policies on websites and other public facing forums.

The protection of data is becoming a core value within businesses as in the event of a data breach the costs to manage this and the impact on their reputation can be severe.

The risk of a data breach is also now higher than ever with the changing cyber risk landscape. New ransomware strains and malware are evolving so keeping up to date protections in place is vitally important. GDPR is a clear driver of the approach that the C Suite has to instigate to protect and secure their businesses.

Among the many areas that IT Security has focused upon is back-up which is essential in protecting data. This makes it retrievable in the event of a compromise of data due to a cyber-attack.

ChangeinPhilosophy

GDPR was a long time coming and businesses have struggled to find the resource to put in place processes to achieve compliance. Some were ahead of the game and some struggled to meet the deadline of 25th May 2018.

The philosophy to cyber security has also reached an engagement point where businesses are looking beyond GDPR. Businesses are now seeking cyber security accreditation’s such as ISO27001.

GlobalEffect

Other countries are also taking note of the impact that GDPR is having and bringing in similar legislation of their own.

For example the California Consumer Privacy Act (CCPA) which comes into force on 1st January next year.This provides consumers with certain rights over their personal data which is held by businesses and is an obvious parallel with GDPR.

GDPRFines

Regulators to date have issued in excess of 200.000 fines of which 65,000 were related to data breaches . Fines totalled E56M which includes the E50M levied against Google by the Irish Data Protection Commissioner. In this case new users were inadequately advised how personal data was collected and how this was subsequently used.

The fear of potential fines being issued of up to 4% of global turnover of a business by the regulators has not materialised yet. However from a speech made by Elizabeth Dunham , the U.K. Commissioner of the ICO recently stated in a speech that this may be about to change later in the year. The ICO it is understood have a couple of very large cases that are currently being reviewed.

Both Equifax and Uber have been fined over the past twelve months but this was under previous legislation and not GDPR.

The impact of GDPR does appear to have improved cyber security standards. We are however waiting to see how regulatory bodies will impose the full force of non-compliance in the event of a cyber-attack that results in a significant data breach.

The hotel industry has been a prime target for hackers and this trend is likely to continue. So why are cyber attacks so prevelant within this sector?

VolumesofData

Hotels hold vast quantities of data through many sources such as through their reservation systems for their customers . This will be personally identifiable information that would consist of names, addresss , e-mail addresses and passport details.

On–linePaymentProcessing

Customers will log-in on a hotel website to make a reservation which will require them to provide debit or credit card details. These details could be compromised in the event of a data breach. Payment transactions can also remain exposed for a while on computer systems which presents further opportunity. In 2017 hotels accounted for 92% of all point of sale intrusions.

Wi–Fi

The wi-fi in some hotels can be relatively insecure if their cyber security processes and procedures are not as robust as they should be. This can also lead to their data being compromised.

Symantec released a report this week which revealed that 67% of hotel websites surveyed leaked customer’s booking data. This was over 1500 hotel websites in 54 countries , this equates to two in three websites data could be used by third party sites such as advertisers.

Hotels relies on a supply chain which can include a number of contractors, broking and travel agencies . If there is a vulnerability with one of these it is possible that the hotel may be impacted by this causing business interruption or a data loss.

An Attractive Sector

This sector is a target because of the size of the market and the revenue that is generated each year, this provides opportunists threats for cyber criminals and the proliferation of fraud.

CyberAttacksontheHotelIndustry

There have been a number of high profile cyber attacks on hotels where hackers have sought to steal data or cause disruption to the business.

MarriotInternationalHotels

This is the largest data breach in this sector but also one of the largest in the world.

500 million guests were exposed to this cyber attack which included names and addresses and passport numbers. The attack emanated from the Starwood guest reservation database with who they had recently merged.Starwood themselves had previously experienced a data breach a number of years earlier.

It was announced last week that the credit reference agency Equifax has been fined by the ICO in the sum of £500,000 as a result of failing to protect the personal data of 15 million UK citizens and 146 million in the US during the 2017 data breach.

IT security was not of the highest standard with the compromise of data being likely.

The US Department of Homeland Security had advised Equifax Inc about a critical vulnerability in 2017

Customers data should have been treated in a much higher regard.

The investigation was carried out under the 1998 Data Protection Act as opposed to the recent General Data Protection Regulation (GDPR) that came into force on 25th May this year. The ICO imposed the maximum GDPR fine of £500,000 under the previous Act.

Under the GDPR the ICO has the powers to set a maximum possible fine of 4% of Global turnover of a company the consequences therefore of this data breach could have been much higher should this data breach have occurred post 25th May this year.

The approach by the ICO to GDPR fines and the imposing of these to businesses who are responsible for data breach is still very much unknown as the climate remains untested and only time will tell how this is imposed and to its possible severity. The Equifax fine does suggest that the ICO will be treating such data breaches very seriously and will wish to demonstrate that the new legislation does have “teeth” and that they will act accordingly.

The volumes of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard so will GDPR actually make any difference to our data being better protected? The chances are that it will be but the same inherent threats will still exist.

So what are these threats ?

1.Businesses that have not yet complied with GDPR

In the the run up to GDPR a number of reports indicated that many business were behind in achieving the required standards expected there is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2.Inability to restore data

In the event of a compromise of personal data it will be important that a businesses can restore data by having the appropriate back-ups in place if this is not possible this will impact on their business confidence and reputation.

3.Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

It is conceivable that there will a visible increase in cyber attacks on businesses as hackers will target firms for their data and exploiting vulnerabilities. Such threats as ransomware or a DDos attack where a hacker could hold a business to ransom by threatening to steal or disseminate data.

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital with minimum standards of Cyber Essentials and preferably ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a businesses is hit by a data breach it will need to react quickly to this, an incident response will assist with this . Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help mange the impact of this.

The main elements of coverage provided to protect data are as follows:-

Privacy Liability

Data notification costs

Regulatory costs and expenses

24/7 Incident response services

There is no doubt that data will still be at risk with threats to its security emerging as technology and the incentives to use data for ill means increases.

On the 25th May the General Data Protection Regulations ( GDPR ) comes into force which will change the whole world of how personal data is managed for individuals that live within the EU member states.

The concept behind this is to give people back control of their data which imposes strict data protection obligations on businesses and provides individuals with the right of redress should their data not be managed in accordance with these regulations.

Despite the fact that the UK will be leaving the EU next year, the regulations will apply to UK businesses after which these will then be replaced by the proposed Data Protection Bill that will impose similar data protection regulations.

GDPR is arguably long over due, in the UK we currently have the Data Protection Act 1998, to put this into context at the time that this was implemented , there are analogue television and dial – up internet…. .. The increase in the use of personal data has increased dramatically since then due to the advances in technology and how people interact with the many modes of communication such as social media.

In the UK the Information Commissioners Office (ICO) will monitor and regulate the GDPR. The ICO website provides a guide to businesses explaining their obligations and to help those individuals who have day to day responsibility for data protection within their organisation.

The profile of GDPR is gathering moment and no doubt individuals will wish to be aware of the amounts data that is held against their name. With this will bring about situations where individuals request details and these are unavailable due to non-compliance with business being unable to produce the information at all or within the required time limits.

The other issue and the one with the most significant consequences is where a business suffers a data breach as a result of a hacker attack or an perhaps an error or deliberate act by an employee, the details are then disseminated into the public domain or used for ill gotten gains. The ICO has powers to issue fines of up to 4% of worldwide turnover of a businesses or 20 million Euros whichever is the greater. This is an uplift from GBP500,000 under the current regulations, this therefore represents a significant increase and demonstrates that a serious non-compliance will have severely consequences.

Managing GDPR

It will be essential that the correct processes and procedures are in place and in the event of a data breach it is important that an incident response plan is readily available whether this having been drawn up internally or with the help of a specialist consultancy. The incident response plan will consists of various vendors to help manage the breach such as lawyers and public relations consultants.

A cyber insurance policy provides such resources and is offered by insurers on a 24/7 basis should the policyholder be subject to a data breach.

The management of these new regulations within a businesses is going to be a fundamental focal point going forward with personal at all levels needing to be aware of their day to day obligations in the processing and handling of data.